---------- Forwarded message ----------
From: Ajith Vitharana <[email protected]>
Date: Thu, Mar 14, 2013 at 6:02 PM
Subject: Re: Access denied to generate the OAuth Access token for REST API.
To: Sriragu Arudsothy <[email protected]>
Cc: [email protected], Prabath Siriwardana <[email protected]>, Senaka Fernando <[email protected]>, Eranda Sooriyabandara <[email protected]>

Hi Ragu,

Please discuss those things on the dev list. No need to be private.

Thanks
Ajith

On Mar 14, 2013 5:44 PM, "Sriragu Arudsothy" <[email protected]> wrote:
>
> The admin/manage permission is defined for the OAuthAdminService in the identity.oauth component's service.xml file. Therefore any user role that has the above permission is able to generate the access token. It is given below.
>
> <parameter name="AuthorizationAction" locked="false">/permission/admin/manage</parameter>
>
> But by default, the API publisher/subscriber roles can't generate the token since they don't have the above permission. But if we create a new role including the manage permission, or update the above roles with the manage permission, they will be able to generate the token.
>
> I have modified the code as follows: if the logged-in user has the admin/manage permission, he/she can see the Registry REST API panel under the user management and is able to generate the token.
>
> Thanks!
> Ragu
>
> On Thu, Mar 14, 2013 at 3:42 PM, Senaka Fernando <[email protected]> wrote:
>>
>> Hi Ragu,
>>
>> We are going in circles, :). Ok, so what admin permission do you need for this OAuthAdminService?
>>
>> Thanks,
>> Senaka.
>>
>> On Thu, Mar 14, 2013 at 1:42 AM, Sriragu Arudsothy <[email protected]> wrote:
>>>
>>> Thanks for responding Prabath..!
>>>
>>> Hi Greg,
>>>
>>> Therefore, according to the current user management perspective, if the user does not have the admin permissions, he/she is not able to generate the access token, since it uses the OAuthAdminService to register an app. So he/she is unable to access the REST API.
>>>
>>> Therefore why do we need to show the Registry REST API panel under the user management for users not assigned to the admin role???
>>>
>>> Thanks!
>>> Ragu
>>>
>>> On Wed, Mar 13, 2013 at 5:28 PM, Prabath Siriwardena <[email protected]> wrote:
>>>>
>>>> Earlier anyone could access anything.. It was a security hole and now it's fixed..
>>>>
>>>> Thanks & regards,
>>>> -Prabath
>>>>
>>>> On Wed, Mar 13, 2013 at 5:22 PM, Sriragu Arudsothy <[email protected]> wrote:
>>>>>
>>>>> I am not sure who it is..! I guess the IS team did a significant amount of work on User-management for the WM release. They have done a major refactoring on User-management.
>>>>>
>>>>> Thanks!
>>>>> Ragu
>>>>>
>>>>> On Wed, Mar 13, 2013 at 4:49 PM, Senaka Fernando <[email protected]> wrote:
>>>>>>
>>>>>> Hi Ragu,
>>>>>>
>>>>>> Maybe somebody changed the permissions of the admin service?
>>>>>>
>>>>>> Thanks,
>>>>>> Senaka.
>>>>>>
>>>>>> On Wed, Mar 13, 2013 at 6:43 AM, Sriragu Arudsothy <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> There were some restrictions after the update.
>>>>>>> 1) There were more restrictions on admin services regarding the user management aspects. Earlier, whoever had the login permission to log in to the Greg console was able to generate the OAuth access token to access the Registry REST API. I tested the current REST API today with the recent update. If the user has the admin role or above, they are allowed to generate the access token, since OAuthAdminService is used to register an app and generate the access token using the generated client id/secret for the given user.
>>>>>>>
>>>>>>> I have assigned the API Publisher and Subscriber roles to 2 users; when tested, they were denied access to register an app. Therefore they were unable to get the access token. The following error was thrown.
>>>>>>>
>>>>>>> [2013-03-13 15:22:53,525] ERROR {java.lang.Class} - Access Denied. Failed authorization attempt to access service 'OAuthAdminService' operation 'getAllOAuthApplicationData' by 'ragu'
>>>>>>> [2013-03-13 15:22:53,526] ERROR {org.apache.axis2.engine.AxisEngine} - Access Denied.
>>>>>>> org.apache.axis2.AxisFault: Access Denied.
>>>>>>>
>>>>>>> where "ragu" has been assigned the API publisher role.
>>>>>>>
>>>>>>> Is there any alternative way we can allow everybody who has the login permission to generate the token, like earlier?
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Ragu
>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Senaka Fernando
>>>>>> Member - Integration Technologies Management Committee;
>>>>>> Technical Lead; WSO2 Inc.; http://wso2.com
>>>>>> Member; Apache Software Foundation; http://apache.org
>>>>>>
>>>>>> E-mail: senaka AT wso2.com
>>>>>> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
>>>>>> Linked-In: http://linkedin.com/in/senakafernando
>>>>>>
>>>>>> Lean . Enterprise . Middleware
>>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Prabath
>>>>
>>>> Mobile : +94 71 809 6732
>>>>
>>>> http://blog.facilelogin.com
>>>> http://RampartFAQ.com
>>>
>>
>> --
>>
>> Senaka Fernando
>> Member - Integration Technologies Management Committee;
>> Technical Lead; WSO2 Inc.; http://wso2.com
>> Member; Apache Software Foundation; http://apache.org
>>
>> E-mail: senaka AT wso2.com
>> P: +1 408 754 7388; ext: 51736; M: +94 77 322 1818
>> Linked-In: http://linkedin.com/in/senakafernando
>>
>> Lean . Enterprise . Middleware
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
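The AuthorizationAction gate the thread is discussing, as an added example that is not code from WSO2 Carbon or from anyone on the thread: it reads the parameter out of a constructed service.xml fragment and checks it against constructed role and user tables, reproducing why a publisher-only user is denied while a role holding /permission/admin/manage is allowed. The rule that a parent permission node implies its children is an assumption about the Carbon permission tree, and the role names and permission paths are constructed, not the product's real definitions.

```python
# Added example, not code from the WSO2 thread. Models how the AuthorizationAction
# parameter quoted in the thread gates an admin service. The service.xml fragment,
# role and user tables are constructed; parent-node-implies-children is an assumption.
import xml.etree.ElementTree as ET

# Constructed service.xml fragment carrying the parameter quoted in the thread.
SERVICE_XML = """
<serviceGroup>
  <service name="OAuthAdminService">
    <parameter name="AuthorizationAction" locked="false">/permission/admin/manage</parameter>
    <operation name="getAllOAuthApplicationData"/>
  </service>
</serviceGroup>
"""

# Constructed permission assignments (not the real API Manager role definitions).
ROLE_PERMISSIONS = {
    "admin": {"/permission/admin"},  # parent node: assumed to cover /manage
    "publisher": {"/permission/admin/login", "/permission/admin/manage/api/publish"},
    "subscriber": {"/permission/admin/login", "/permission/admin/manage/api/subscribe"},
    "tokenusers": {"/permission/admin/login", "/permission/admin/manage"},
}
USER_ROLES = {"admin": {"admin"}, "ragu": {"publisher"}, "alice": {"subscriber", "tokenusers"}}

def required_action(service_xml, service_name):
    """Return the AuthorizationAction a service declares, or None if unrestricted."""
    for svc in ET.fromstring(service_xml).iter("service"):
        if svc.get("name") == service_name:
            p = svc.find("parameter[@name='AuthorizationAction']")
            return p.text.strip() if p is not None and p.text else None
    return None

def permission_implies(held, required):
    """A held node grants itself and everything beneath it; a child never grants its parent."""
    return required == held or required.startswith(held.rstrip("/") + "/")

def is_authorized(user, service, service_xml=SERVICE_XML):
    """Deny unless some role of the user covers the service's AuthorizationAction."""
    action = required_action(service_xml, service)
    if action is None:
        return True
    held = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))
    return any(permission_implies(h, action) for h in held)

def audit_line(user, service, operation):
    """Log line in the shape the thread shows; the operation is reported, not checked."""
    if is_authorized(user, service):
        return f"Authorized access to service '{service}' operation '{operation}' by '{user}'"
    return (f"Access Denied. Failed authorization attempt to access service "
            f"'{service}' operation '{operation}' by '{user}'")
```

Because the parameter is declared on the service, every operation of OAuthAdminService is gated by the same permission; a narrower /manage/api/... node held by the publisher role does not satisfy it.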
